# Grype vulnerability scanning configuration for central-services-stream
# This is a library project without Docker images, so we use source scanning
# NOTE(review): `scan-type` and `disabled` are not grype's own configuration
# keys; they look like settings read by the CI orb referenced at the bottom of
# this file — confirm against the orb's documented schema.
scan-type: source

# Enable vulnerability scanning (orb-level switch; presumably `true` skips the scan entirely)
disabled: false

# Vulnerability ignore rules
# Add specific CVEs here if they are false positives or acceptable risks
# Checklist for every rule added here:
#   - scope the rule with `package:` (name/version) where possible, so the
#     advisory is suppressed only where it was assessed and not in any other
#     package that matches the same id later;
#   - state in `reason` why the finding is a false positive or not exploitable
#     in this project, not only why the upgrade is blocked;
#   - grype ignore rules carry no expiry, so record a re-check date in a
#     comment and remove the rule once the upgrade path is unblocked.
ignore:
  # Example format for ignoring specific vulnerabilities:
  # - vulnerability: "CVE-2023-xxxxx"
  #   reason: "False positive in dev dependency that doesn't affect production"
  # - vulnerability: "GHSA-xxxx-xxxx-xxxx"
  #   package:
  #     name: "package-name"
  #     version: "1.0.0"
  #   reason: "Not exploitable in our usage context"
  # Unscoped rule: there is no `package:` filter, so this advisory is ignored
  # wherever it is matched. The reason records the upgrade blocker
  # (standard@17.1.2 pins eslint@^8.41.0) rather than an exploitability
  # assessment; revisit when standard supports ESLint 9.
  # Re-check by: <REVIEW-DATE> (placeholder — fill in when this rule is reviewed)
  - vulnerability: "GHSA-p5wg-g6qr-c7cg"
    reason: "is incompatible with standard@17.1.2. ESLint 9 removed several options (extensions, useEslintrc, resolvePluginsRelativeTo) that standard-engine relies on. The standard package requires eslint@^8.41.0"

# Output formats for scan results (both are produced by the same run)
output:
  - "table"  # Human-readable table format for the CI log
  - "json"   # Machine-readable JSON for further processing (e.g. archiving as a build artifact)

# Grype configuration options
quiet: false                    # Show progress and status messages
check-for-app-update: false     # Don't check for Grype updates during CI (keeps the run free of that outbound call)
only-fixed: false               # Show all vulnerabilities, not just those with fixes; unfixed findings stay visible for risk tracking
add-cpes-if-none: false         # Don't add CPEs if none are found; presumably trades fewer CPE-based matches for fewer false positives — confirm before flipping
by-cve: false                   # Keep the original advisory id (e.g. GHSA-…) rather than orienting results by CVE; the ignore rule above is keyed on a GHSA id, so confirm alias handling before changing this

# Database settings
db:
  auto-update: true             # Auto-update the vulnerability database before scanning
  validate-age: true            # Validate the age of the vulnerability database; a stale DB silently misses newly published advisories
  max-allowed-built-age: 120h   # Maximum age of the vulnerability database (5 days); presumably the scan errors rather than running against an older DB — confirm

# Severity thresholds (handled by the orb, but documented here for clarity)
# The build will fail on Critical, High, or Medium severity vulnerabilities
# Low and Negligible severities are reported but won't fail the build
# Nothing in this file enforces the threshold; keep this note in sync with the
# orb's fail-on-severity setting when that changes.
